Only displayed when the -issuer_checks option is set.Īuthority and issuer serial number mismatch The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set.Īuthority and subject key identifier mismatch The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. The root CA is marked to reject the specified purpose. The root CA is not marked as trusted for the specified purpose. The supplied certificate cannot be used for the specified purpose. The basicConstraints pathlength parameter has been exceeded. Either it is not a CA or its extensions are not consistent with the supplied purpose. The certificate chain length is greater than the supplied maximum depth. No signatures could be verified because the chain contains only one certificate and it is not self signed. this occurs if the issuer certificate of an untrusted certificate cannot be found. The issuer certificate could not be found. The certificate chain could be built up using the untrusted certificates but the root could not be found locally. Self signed certificate in certificate chain The passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates. The CRL nextUpdate field contains an invalid time.Īn error occurred trying to allocate memory. The CRL lastUpdate field contains an invalid time. The certificate notAfter field contains an invalid time. The certificate notBefore field contains an invalid time.įormat error in certificate’s notAfter field that is the notAfter date is before the current time.įormat error in certificate’s notBefore field the notBefore date is after the current time. The signature of the certificate is invalid. The public key in the certificate SubjectPublicKeyInfo could not be read.
This means that the actual signature value could not be determined rather than it not matching the expected value. The CRL signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys. The certificate signature could not be decrypted. Unable to decrypt certificate’s signature The CRL of a certificate could not be found. This normally means the list of trusted certificates is not complete. The issuer certificate of a looked up certificate could not be found.
#Openssl sclient code#
(I blatantly grabbed this from here!) Error Code Here’s a quick list of common return codes: You’ll also get an official “Verify return code” which can be used to diagnose any SSL/TLS issues. option to display the entire certificate chain which is useful for validating your intermediates. Openssl s_client -starttls imap -crlf -connect some_imap_server:143 #IMAP Openssl s_client -starttls smtp -crlf -connect :587 #SMTPS openssl s_client -connect #HTTPS openssl s_client -starttls ftp -connect some_ftp_:21 #FTPES openssl s_client -starttls smtp -crlf -connect :25 #SMTP So I figured I’d put a couple of common options down on paper for future use. I use openssl’s s_client option all the time to verify if a certificate is still good on the other end of a web service.
0 kommentar(er)
